public inbox for libc-help@sourceware.org
From: varun mittal <vmittal05@gmail.com>
To: libc-help@sourceware.org
Subject: Understanding 'initgroups' behavior in nsswitch.conf
Date: Thu, 10 Feb 2022 13:08:42 +0530
Message-ID: <CA+RDaRBCPS5L6cEotY4GXq6kvCcJSg7pHG_bS_rAy_7-OEaVvA@mail.gmail.com>

Hi

Working on a CentOS machine with glibc 2.17, I am struggling to find a
configuration which disables group lookup for local users on remote
directories.

Then I thought maybe initgroups can help, but it doesn't seem to work.

My nsswitch.conf:

passwd:     compat ldap lsass
shadow:     files
group:      files nis ldap lsass
hosts:      files dns nis
protocols:  files
rpc:        files
services:   files
initgroups: files nis ldap lsass

This is the code snippet of glibc's internal_getgrouplist function:

      /* For compatibility reason we will continue to look for more
         entries using the next service even though data has already
         been found if the nsswitch.conf file contained only a 'groups'
         line and no 'initgroups' line.  If the latter is available
         we always respect the status.  This means that the default
         for successful lookups is to return.  */
      if ((use_initgroups_entry || status != NSS_STATUS_SUCCESS)
          && nss_next_action (nip, status) == NSS_ACTION_RETURN)
        break;

It looks like it should honor the initgroups config, but it doesn't seem
to; the reason is that the _nss_files_initgroups_dyn function returns
NSS_STATUS_NOTFOUND when the local user has only 1 primary group and no
secondary groups. The relevant code snippet from _nss_files_initgroups_dyn is:

      if (res > 0 && grp.gr_gid != group)

Which boils down to:

"If the user is not part of any secondary group, the group lookup will
always go to other databases, irrespective of initgroups in
nsswitch.conf"

Is my understanding correct? If yes, is there any reason why this has been
implemented this way?

How do I get the desired behavior that a local user's group lookup
should never go to remote databases?

In my case, if the remote directory ports are blocked or the remote
directory is slow to respond, the service doing the lookup goes for a
total hang.

Our product ships with a default nsswitch.conf and is not configurable
by the end user. I need to have a static nsswitch.conf file with all
the possible DBs listed.


Thanks and regards
Mittal

Thread overview: 2+ messages
2022-02-10  7:38 varun mittal [this message]
2022-02-16 12:28 ` varun mittal
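The loop quoted in the message above is easier to reason about when run against a concrete chain. The following C program is an added example, not glibc code and not anything from the thread: it models the control flow of internal_getgrouplist (consult services in order, map each service's status to the configured action, stop only on 'return'), with glibc's default actions (SUCCESS=return, every other status=continue) and the compatibility rule that without an 'initgroups' line even SUCCESS keeps going. The backends are constructed stand-ins: a 'files' backend that, like _nss_files_initgroups_dyn, reports NOTFOUND for a local user with only a primary group, and a remote backend that is always UNAVAIL. The user names alice, bob and carol and the functions parse_chain, run_initgroups and consulted_for are assumptions of this example. It goes slightly beyond the post by also parsing the general '[STATUS=action]' override syntax of nsswitch.conf, so the effect of such an override on the chain can be observed.

```c
/* Added example, not glibc code: a model of the NSS initgroups lookup loop
 * quoted in the post.  Backends, user names and helper names are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum nss_status { NSS_STATUS_TRYAGAIN, NSS_STATUS_UNAVAIL,
                  NSS_STATUS_NOTFOUND, NSS_STATUS_SUCCESS };
enum nss_action { NSS_ACTION_CONTINUE, NSS_ACTION_RETURN };
static const char *const status_names[] = { "TRYAGAIN", "UNAVAIL", "NOTFOUND", "SUCCESS" };

struct service {
    char name[32];
    enum nss_action action[4];               /* action to take after each nss_status */
    enum nss_status (*lookup)(const char *); /* simulated backend */
};

/* Constructed 'files' backend mirroring _nss_files_initgroups_dyn: a local
 * user whose only group is the primary one yields no entry, so the module
 * reports NOTFOUND even though the user is local. */
static enum nss_status files_lookup(const char *user)
{
    if (strcmp(user, "alice") == 0) return NSS_STATUS_SUCCESS; /* alice has a secondary group */
    return NSS_STATUS_NOTFOUND; /* bob: local, primary group only; carol: exists only remotely */
}

/* Constructed remote backend (nis/ldap/lsass): unreachable, as in the post. */
static enum nss_status remote_lookup(const char *user)
{
    (void)user;
    return NSS_STATUS_UNAVAIL;
}

/* Case-insensitive string equality (nsswitch keywords are case-insensitive). */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Parse one nsswitch.conf database line ("db: svc [STATUS=action] svc ...")
 * into a service chain with glibc's default actions.  Only the space-free
 * "[STATUS=action]" form is handled.  Returns the number of services. */
int parse_chain(const char *line, struct service *out, int max)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", line);
    char *p = strchr(buf, ':');
    if (!p) return 0;
    int n = 0;
    for (char *tok = strtok(p + 1, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (tok[0] == '[') {                 /* override applies to the previous service */
            char *eq = strchr(tok, '='), *end = strchr(tok, ']');
            if (n == 0 || !eq || !end) continue;
            *eq = '\0'; *end = '\0';
            for (int s = 0; s < 4; s++)
                if (ieq(tok + 1, status_names[s]))
                    out[n - 1].action[s] = ieq(eq + 1, "return") ? NSS_ACTION_RETURN
                                                                  : NSS_ACTION_CONTINUE;
            continue;
        }
        if (n == max) break;
        snprintf(out[n].name, sizeof out[n].name, "%s", tok);
        for (int s = 0; s < 4; s++) out[n].action[s] = NSS_ACTION_CONTINUE;
        out[n].action[NSS_STATUS_SUCCESS] = NSS_ACTION_RETURN;   /* glibc default */
        out[n].lookup = strcmp(tok, "files") == 0 ? files_lookup : remote_lookup;
        n++;
    }
    return n;
}

/* Control flow of internal_getgrouplist: consult services in order and stop
 * only when the action for the returned status is 'return'.  Without an
 * 'initgroups' line (use_initgroups_entry == false) even SUCCESS continues,
 * for compatibility.  Returns how many services were consulted. */
int run_initgroups(const struct service *chain, int n, const char *user,
                   bool use_initgroups_entry, enum nss_status *final)
{
    enum nss_status status = NSS_STATUS_UNAVAIL;
    int consulted = 0;
    for (int i = 0; i < n; i++) {
        status = chain[i].lookup(user);
        consulted++;
        if ((use_initgroups_entry || status != NSS_STATUS_SUCCESS)
            && chain[i].action[status] == NSS_ACTION_RETURN)
            break;
    }
    if (final) *final = status;
    return consulted;
}

/* How many services a given nsswitch.conf line consults for a user. */
int consulted_for(const char *line, const char *user, bool use_initgroups_entry)
{
    struct service chain[8];
    int n = parse_chain(line, chain, 8);
    return run_initgroups(chain, n, user, use_initgroups_entry, NULL);
}

int main(void)
{
    const char *cfg = "initgroups: files nis ldap lsass";
    const char *alt = "initgroups: files [NOTFOUND=return] nis ldap lsass";
    printf("bob   (primary only), initgroups line : %d services\n", consulted_for(cfg, "bob", true));   /* 4 */
    printf("alice (secondary grp), initgroups line: %d services\n", consulted_for(cfg, "alice", true)); /* 1 */
    printf("alice, group line only                : %d services\n",
           consulted_for("group: files nis ldap lsass", "alice", false));                             /* 4 */
    printf("bob,   files [NOTFOUND=return]        : %d services\n", consulted_for(alt, "bob", true));   /* 1 */
    /* the override cannot tell bob from carol: a remote-only user stops at files too */
    printf("carol, files [NOTFOUND=return]        : %d services\n", consulted_for(alt, "carol", true)); /* 1 */
    return 0;
}
```

The first run reproduces the complaint in the post: with the poster's 'initgroups' line, files answers NOTFOUND for a primary-group-only local user and the chain walks through all three remote services, each of which can block. The last two runs show why a '[NOTFOUND=return]' override on files is not by itself the answer to the question asked: the files module returns the same NOTFOUND for a local user without secondary groups and for a user that only exists in the remote directory, so the chain cannot distinguish the two at that point.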
